janogarcia/sanitize_tinymce_content.js

## sanitize_tinymce_content.js
//
// While TinyMCE can strip out <script> tags,
// it does not remove inline JS event handlers.
//
// Example: onmouseover, onclick, etc.
//
// This should be included at the bottom of a page,
// contained inside an <iframe> to sandbox user-created
// content. The reason it is contained in an <iframe>
// is to prevent user-created CSS from affecting
// the parent page's overall look and feel.
//

(function() {
	var all = document.getElementsByTagName('*');
	var i = all.length;
	var j;

	// All inline JS events. HTML5 too.
	var events = [
		'onabort',
		'onafterprint',
		'onbeforeonload',
		'onbeforeprint',
		'onblur',
		'onblur',
		'oncanplay',
		'oncanplaythrough',
		'onchange',
		'onclick',
		'oncontextmenu',
		'ondblclick',
		'ondrag',
		'ondragend',
		'ondragenter',
		'ondragleave',
		'ondragover',
		'ondragstart',
		'ondrop',
		'ondurationchange',
		'onemptied',
		'onended',
		'onerror',
		'onerror',
		'onfocus',
		'onfocus',
		'onformchange',
		'onforminput',
		'onhaschange',
		'oninput',
		'oninvalid',
		'onkeydown',
		'onkeypress',
		'onkeyup',
		'onload',
		'onloadeddata',
		'onloadedmetadata',
		'onloadstart',
		'onmessage',
		'onmousedown',
		'onmousemove',
		'onmouseout',
		'onmouseover',
		'onmouseup',
		'onmousewheel',
		'onoffline',
		'ononline',
		'onpagehide',
		'onpageshow',
		'onpause',
		'onplay',
		'onplaying',
		'onpopstate',
		'onprogress',
		'onratechange',
		'onreadystatechange',
		'onredo',
		'onreset',
		'onresize',
		'onscroll',
		'onseeked',
		'onseeking',
		'onselect',
		'onstalled',
		'onstorage',
		'onsubmit',
		'onsuspend',
		'ontimeupdate',
		'onundo',
		'onunload',
		'onvolumechange',
		'onwaiting'
	];

	while (i--) {
		// Keeps links from opening within the <iframe>
		if (all[i].tagName.toLowerCase() === 'a' && all[i].target !== '_blank') {
			all[i].target = '_top';
		}

		j = events.length;

		while (j--) {
			all[i].removeAttribute(events[j]);
		}
	}
})();
	//
	// While TinyMCE can strip out <script> tags,
	// it does not remove inline JS event handlers.
	//
	// Example: onmouseover, onclick, etc.
	//
	// This should be included at the bottom of a page,
	// contained inside an <iframe> to sandbox user-created
	// content. The reason it is contained in an <iframe>
	// is to prevent user-created CSS from affecting
	// the parent page's overall look and feel.
	//

	(function() {
	var all = document.getElementsByTagName('*');
	var i = all.length;
	var j;

	// All inline JS events. HTML5 too.
	var events = [
	'onabort',
	'onafterprint',
	'onbeforeonload',
	'onbeforeprint',
	'onblur',
	'onblur',
	'oncanplay',
	'oncanplaythrough',
	'onchange',
	'onclick',
	'oncontextmenu',
	'ondblclick',
	'ondrag',
	'ondragend',
	'ondragenter',
	'ondragleave',
	'ondragover',
	'ondragstart',
	'ondrop',
	'ondurationchange',
	'onemptied',
	'onended',
	'onerror',
	'onerror',
	'onfocus',
	'onfocus',
	'onformchange',
	'onforminput',
	'onhaschange',
	'oninput',
	'oninvalid',
	'onkeydown',
	'onkeypress',
	'onkeyup',
	'onload',
	'onloadeddata',
	'onloadedmetadata',
	'onloadstart',
	'onmessage',
	'onmousedown',
	'onmousemove',
	'onmouseout',
	'onmouseover',
	'onmouseup',
	'onmousewheel',
	'onoffline',
	'ononline',
	'onpagehide',
	'onpageshow',
	'onpause',
	'onplay',
	'onplaying',
	'onpopstate',
	'onprogress',
	'onratechange',
	'onreadystatechange',
	'onredo',
	'onreset',
	'onresize',
	'onscroll',
	'onseeked',
	'onseeking',
	'onselect',
	'onstalled',
	'onstorage',
	'onsubmit',
	'onsuspend',
	'ontimeupdate',
	'onundo',
	'onunload',
	'onvolumechange',
	'onwaiting'
	];

	while (i--) {
	// Keeps links from opening within the <iframe>
	if (all[i].tagName.toLowerCase() === 'a' && all[i].target !== '_blank') {
	all[i].target = '_top';
	}

	j = events.length;

	while (j--) {
	all[i].removeAttribute(events[j]);
	}
	}
	})();